[Owasp-leaders] Getting started in AppSec

Andrew van der Stock vanderaj at owasp.org
Tue Oct 21 11:50:57 UTC 2014


I did a talk to unimelb as a capstone lecture last week on a similar
topic to software engineers who are about to graduate. I think I
converted at least a few of them to our cause. My thesis is to think
outside of the box and work together rather than as an adversarial
system of developers (them) versus reviewers (us), avoid the same old
security thinking that got us here in the first place, and burn
security theatre down to the ground. It led to some great post-lecture
discussions, where one of the folks was told not to fraternize with
the auditors because it's a conflict of interest. Thus my latest blog
entry:

http://www.greebo.net/2014/10/13/independence-versus-conflict-of-interest-in-security-reviews/

I can look at making sure the PPT doesn't have any (c) issues with
images, but the content is probably a great philosophical start to the
idea of how to bootstrap folks into our industry.

With my new staff, I show them first, then I get them to do it from
then on, with the expectation that they can ask for help or guidance.
I see this sort of like trade school, and I feel strongly that we do
need some formality in there, because we don't want cowboys who think
it's fine to run Burp active scans across production without
consequence. Sooner than later, folks have the same sorts of skills I
have; experience will come in time.

thanks
Andrew

On Tue, Oct 21, 2014 at 4:09 AM, Kevin W. Wall <kevin.w.wall at gmail.com> wrote:
> Simon Bennetts wrote:
>> So ... can we come up with a
>> simple '5 point plan' (or whatever)
>> for people who are
>> just starting out in AppSec.
>
> Great idea. (Not volunteering though! :-)
>
> One of those early steps of any n-step plan should definitely be to get them
> plugged into a local OWASP chapter if there is one in their area.
>
> -kevin
> Sent from my Droid; please excuse typos.

